Published Tue, Jun 18th, 2019
Platforms
The AWS CodeStar service had an undocumented API (codestar:CreateProjectFromTemplate) that allowed users with broadly scoped CodeStar permissions to create a CodeStar project. As part of the creation process, AWS would create a new CodeStarWorker IAM policy and attach it to the user making the call. This policy granted full access to over 50 AWS services, including the iam:AttachRolePolicy, iam:AttachUserPolicy and iam:PutRolePolicy permissions, which would allow the user to escalate to full administrator access. Following disclosure, AWS removed the majority of the access granted by the CodeStarWorker policy, but this is still a viable escalation path if there are other misconfigurations in the environment.
Codestar
If not using the CodeStar service, ensure that the "aws-codestar-service-role" is removed from all your accounts. Apply the principle of least privilege to all CodeStar-related resources so that the codestar:CreateProjectFromTemplate permission is only granted when absolutely necessary. Implement monitoring on any users with access to the codestar:CreateProject and iam:PassRole actions to detect potential escalation attempts.
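One way to implement the monitoring recommended above, as an added example that is not part of this entry: a small correlation over CloudTrail records that flags a user who called CreateProjectFromTemplate and then had a CodeStarWorker policy attached to that same user shortly afterwards. Because the attach is performed by AWS on the caller's behalf, the detector keys on the target user in requestParameters rather than on the calling identity. The sample records, policy name and account id are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for the example (field names follow the
# CloudTrail schema; all values, including the account id, are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2019-03-19T10:00:00Z", "eventSource": "codestar.amazonaws.com",
     "eventName": "CreateProjectFromTemplate",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"}},
    {"eventTime": "2019-03-19T10:00:20Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/aws-codestar-service-role/session"},
     "requestParameters": {"userName": "dev-alice",
                           "policyArn": "arn:aws:iam::123456789012:policy/CodeStarWorker-demo-Owner"}},
    {"eventTime": "2019-03-19T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "admin-bob"},
     "requestParameters": {"userName": "dev-carol",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

WINDOW = timedelta(minutes=15)  # how long after the project call an attach still counts


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_codestar_escalations(events, window=WINDOW):
    """Return (user, create_time, policy) triples where `user` called
    CreateProjectFromTemplate and, within `window`, a CodeStarWorker* policy
    was attached to (or put inline on) that same user."""
    creates = {}   # userName -> time of that user's latest CreateProjectFromTemplate
    findings = []
    for e in sorted(events, key=_ts):
        if e["eventSource"] == "codestar.amazonaws.com" and e["eventName"] == "CreateProjectFromTemplate":
            creates[e["userIdentity"].get("userName")] = _ts(e)
        elif e["eventSource"] == "iam.amazonaws.com" and e["eventName"] in ("AttachUserPolicy", "PutUserPolicy"):
            params = e.get("requestParameters", {})
            target = params.get("userName")
            policy = params.get("policyArn") or params.get("policyName", "")
            if "CodeStarWorker" in policy and target in creates and _ts(e) - creates[target] <= window:
                findings.append((target, creates[target].isoformat(), policy))
    return findings
```

Feeding real CloudTrail records (e.g. from a log export) into find_codestar_escalations works unchanged, since only eventTime, eventSource, eventName, userIdentity and requestParameters are read.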
No tracked CVEs
Contributed by https://github.com/blakedunson
Entry Status
Finalized
Disclosure Date
Tue, Mar 19th, 2019
Exploitability Period
Ongoing
Known ITW Exploitation
-
Detection Methods
None
Piercing Index Rating
-
Discovered by
Spencer Gietzen, Rhino Security Labs